/[smeserver]/rpms/qpsmtpd/sme8/0015-add-TCPLOCAL-variables-to-qp-connection.patch
ViewVC logotype

Contents of /rpms/qpsmtpd/sme8/0015-add-TCPLOCAL-variables-to-qp-connection.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Sun Nov 14 20:50:20 2010 UTC (14 years ago) by slords
Branch: MAIN
CVS Tags: qpsmtpd-0_84-3_el5_sme, qpsmtpd-0_84-6_el5_sme, qpsmtpd-0_84-2_el5_sme, qpsmtpd-0_84-5_el5_sme, qpsmtpd-0_84-8_el5_sme, qpsmtpd-0_84-9_el5_sme, qpsmtpd-0_84-4_el5_sme, qpsmtpd-0_84-7_el5_sme, HEAD
* Sun Nov 14 2010 <slords@mail.com> 0.84-2.sme
- Sync with upstream git repo.
- Fix require_resolvable_fromhost doesn't work [SME: 6369]
- Fix TLS security defaults [SME: 6366]
- Fix fatal errors when mail has no headers [SME: 6345]

1 From 671a6953b0c9503717bda10dd07f434cbd302c9c Mon Sep 17 00:00:00 2001
2 From: Matt Simerson <matt@tnpi.net>
3 Date: Tue, 11 May 2010 00:55:53 -0400
4 Subject: add TCPLOCAL* variables to $qp->connection
5
6 (patch remade against latest rspier/qpsmtpd)
7
8 added remote_port, local_ip, local_port, and local_host to $qp->connection, as the p0f plugin relies on it.
9 added notes to TcpServer.pm and the p0f plugin noting the dependence, and the lack of support for models other than tcpserver.
10
11 Signed-off-by: Robert <rspier@pobox.com>
12 ---
13 lib/Qpsmtpd/TcpServer.pm | 21 ++++++++++++--
14 plugins/greylisting | 68 ++++++++++++++++++++++++++++++++++++++-------
15 plugins/ident/p0f | 8 +++++
16 3 files changed, 83 insertions(+), 14 deletions(-)
17
18 diff --git a/lib/Qpsmtpd/TcpServer.pm b/lib/Qpsmtpd/TcpServer.pm
19 index 3398c3e..07d8d16 100644
20 --- a/lib/Qpsmtpd/TcpServer.pm
21 +++ b/lib/Qpsmtpd/TcpServer.pm
22 @@ -30,7 +30,10 @@ my $first_0;
23 sub start_connection {
24 my $self = shift;
25
26 - my ($remote_host, $remote_info, $remote_ip);
27 + my (
28 + $remote_host, $remote_info, $remote_ip, $remote_port,
29 + $local_ip, $local_port, $local_host
30 + );
31
32 if ($ENV{TCPREMOTEIP}) {
33 # started from tcpserver (or some other superserver which
34 @@ -38,6 +41,10 @@ sub start_connection {
35 $remote_ip = $ENV{TCPREMOTEIP};
36 $remote_host = $ENV{TCPREMOTEHOST} || "[$remote_ip]";
37 $remote_info = $ENV{TCPREMOTEINFO} ? "$ENV{TCPREMOTEINFO}\@$remote_host" : $remote_host;
38 + $remote_port = $ENV{TCPREMOTEPORT};
39 + $local_ip = $ENV{TCPLOCALIP};
40 + $local_port = $ENV{TCPLOCALPORT};
41 + $local_host = $ENV{TCPLOCALHOST};
42 } else {
43 # Started from inetd or similar.
44 # get info on the remote host from the socket.
45 @@ -48,6 +55,10 @@ sub start_connection {
46 $remote_ip = inet_ntoa($iaddr);
47 $remote_host = gethostbyaddr($iaddr, AF_INET) || "[$remote_ip]";
48 $remote_info = $remote_host;
49 +### TODO
50 +# set $remote_port, $local_ip, and $local_port. Those values are
51 +# required for the p0f plugin to function.
52 +### /TODO
53 }
54 $self->log(LOGNOTICE, "Connection from $remote_info [$remote_ip]");
55
56 @@ -61,8 +72,12 @@ sub start_connection {
57 $0 = "$first_0 [$remote_ip : $remote_host : $now]";
58
59 $self->SUPER::connection->start(remote_info => $remote_info,
60 - remote_ip => $remote_ip,
61 - remote_host => $remote_host,
62 + remote_ip => $remote_ip,
63 + remote_host => $remote_host,
64 + remote_port => $remote_port,
65 + local_ip => $local_ip,
66 + local_port => $local_port,
67 + local_host => $local_host,
68 @_);
69 }
70
71 diff --git a/plugins/greylisting b/plugins/greylisting
72 index 975563c..ebdec8f 100644
73 --- a/plugins/greylisting
74 +++ b/plugins/greylisting
75 @@ -106,6 +106,23 @@ directories, if determined, supercede I<db_dir>.
76
77 =back
78
79 +=item p0f
80 +
81 +Enable greylisting only when certain p0f criteria is met. The single
82 +required argument is a comma delimited list of key/value pairs. The keys
83 +are the following p0f TCP fingerprint elements: genre, detail, uptime,
84 +link, and distance.
85 +
86 +To greylist emails from computers whose remote OS is windows, you'd use
87 +this syntax:
88 +
89 + p0f genre,windows
90 +
91 +To greylist only windows computers on DSL links more than 3 network hops
92 +away:
93 +
94 + p0f genre,windows,link,dsl,distance,3
95 +
96 =head1 BUGS
97
98 Database locking is implemented using flock, which may not work on
99 @@ -116,6 +133,8 @@ use something like File::NFSLock instead.
100
101 Written by Gavin Carr <gavin@openfusion.com.au>.
102
103 +Added p0f section <mattsimerson@cpan.org> (2010-05-03)
104 +
105 =cut
106
107 BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) }
108 @@ -123,22 +142,23 @@ use AnyDBM_File;
109 use Fcntl qw(:DEFAULT :flock);
110 use strict;
111
112 -my $VERSION = '0.07';
113 +my $VERSION = '0.08';
114
115 my $DENYMSG = "This mail is temporarily denied";
116 my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!);
117 my $DB = "denysoft_greylist.dbm";
118 my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender recipient
119 - black_timeout grey_timeout white_timeout deny_late mode db_dir);
120 + black_timeout grey_timeout white_timeout deny_late mode db_dir p0f );
121
122 my %DEFAULTS = (
123 - remote_ip => 1,
124 - sender => 0,
125 - recipient => 0,
126 - black_timeout => 50 * 60,
127 - grey_timeout => 3 * 3600 + 20 * 60,
128 - white_timeout => 36 * 24 * 3600,
129 - mode => 'denysoft',
130 + remote_ip => 1,
131 + sender => 0,
132 + recipient => 0,
133 + black_timeout => 50 * 60,
134 + grey_timeout => 3 * 3600 + 20 * 60,
135 + white_timeout => 36 * 24 * 3600,
136 + mode => 'denysoft',
137 + p0f => undef,
138 );
139
140 sub register {
141 @@ -206,6 +226,9 @@ sub denysoft_greylist {
142 return DECLINED if $self->qp->connection->notes('whitelisthost');
143 return DECLINED if $transaction->notes('whitelistsender');
144
145 + # do not greylist if p0f matching is selected and message does not match
146 + return DECLINED if $config->{'p0f'} && !$self->p0f_match( $config );
147 +
148 if ($config->{db_dir} && $config->{db_dir} =~ m{^([-a-zA-Z0-9./_]+)$}) {
149 $config->{db_dir} = $1;
150 }
151 @@ -214,8 +237,10 @@ sub denysoft_greylist {
152 my $dbdir = $transaction->notes('per_rcpt_configdir')
153 if $config->{per_recipient_db};
154 for my $d ($dbdir, $config->{db_dir}, "/var/lib/qpsmtpd/greylisting",
155 - "$QPHOME/var/db", "$QPHOME/config") {
156 - last if $dbdir ||= $d && -d $d && $d;
157 + "$QPHOME/var/db", "$QPHOME/config", '.' ) {
158 + last if $dbdir && -d $dbdir;
159 + next if ( ! $d || ! -d $d );
160 + $dbdir = $d;
161 }
162 my $db = "$dbdir/$DB";
163 $self->log(LOGINFO,"using $db as greylisting database");
164 @@ -292,5 +317,26 @@ sub denysoft_greylist {
165 return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG;
166 }
167
168 +sub p0f_match {
169 + my $self = shift;
170 + my $config = shift;
171 +
172 + my $p0f = $self->connection->notes('p0f');
173 + return if !$p0f || !ref $p0f; # p0f fingerprint info not found
174 +
175 + my %valid_matches = map { $_ => 1 } qw( genre detail uptime link distance );
176 + my %requested_matches = split(/\,/, $config->{'p0f'} );
177 +
178 + foreach my $key (keys %requested_matches) {
179 + next if !defined $valid_matches{$key}; # discard invalid match keys
180 + my $value = $requested_matches{$key};
181 + return 1 if $key eq 'distance' && $p0f->{$key} > $value;
182 + return 1 if $key eq 'genre' && $p0f->{$key} =~ /$value/i;
183 + return 1 if $key eq 'uptime' && $p0f->{$key} < $value;
184 + return 1 if $key eq 'link' && $p0f->{$key} =~ /$value/i;
185 + }
186 + return;
187 +}
188 +
189 # arch-tag: 6ef5919e-404b-4c87-bcfe-7e9f383f3901
190
191 diff --git a/plugins/ident/p0f b/plugins/ident/p0f
192 index 720adca..98b56ec 100644
193 --- a/plugins/ident/p0f
194 +++ b/plugins/ident/p0f
195 @@ -18,6 +18,14 @@ things based on source OS.
196
197 All code heavily based upon the p0fq.pl included with the p0f distribution.
198
199 +=head1 Environment requirements
200 +
201 +p0f requires four pieces of information to look up the p0f fingerprint:
202 +local_ip, local_port, remote_ip, and remote_port. TcpServer.pm has been
203 +has been updated to provide that information when running under djb's
204 +tcpserver. The async, forkserver, and prefork models will likely require
205 +some additional changes to make sure these fields are populated.
206 +
207 =cut
208
209 use IO::Socket;
210 --
211 1.7.2.2
212

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed